Web Attacks
Skills Assessment
Authenticate to 94.237.49.11 with user "htb-student" and password "Academy_student!"
Intercept the login of htb-student.
GET /api.php/user/74
Send the request to Intruder and fuzz the user ID from 1 to 100 with a number list.
The Administrator role is at uid 52.
Reset the password of a.corrales using the current session of htb-student.
Get the API token of a.corrales with uid=52.
Change the uid and token values in GET /reset.php?uid=
a.corrales:francis
Click Add Event and intercept the traffic with Burp.
The data is sent as XML; use XXE local file disclosure on the name field.
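Detection side of the enumeration step above, as an added example that is not part of the original notes: it flags any client that requests many distinct IDs under /api.php/user/ within a short window, which is how the 1 to 100 Intruder run appears in an access log. The log layout, IP addresses, threshold, window and function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed combined-log layout; only client, timestamp and requested user id are used.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /api\.php/user/(?P<uid>\d+) HTTP/[\d.]+" \d{3}'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_enumerators(lines, max_distinct=10, window=timedelta(minutes=1)):
    """Map client IP -> peak count of distinct user ids requested inside one window,
    for clients whose peak exceeds max_distinct (hypothetical threshold)."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
            events[m["ip"]].append((ts, int(m["uid"])))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({uid for _, uid in hits[start:end + 1]}))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged

def build_sample_log():
    """Constructed sample: one client walks ids 1..100, another re-reads only id 74."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def entry(ip, offset, uid):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET /api.php/user/{uid} HTTP/1.1" 200 312'
    lines = [entry("203.0.113.10", uid // 5, uid) for uid in range(1, 101)]
    lines += [entry("198.51.100.7", n * 30, 74) for n in range(5)]
    return lines

if __name__ == "__main__":
    for ip, peak in find_enumerators(build_sample_log()).items():
        print(f"{ip}: {peak} distinct user ids within one minute")
```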